From 7eb09408393faa5b8f3b3524c39cb93d938e8d04 Mon Sep 17 00:00:00 2001
From: arch <arch@local>
Date: Thu, 6 Jul 2023 20:33:44 +0200
Subject: [PATCH] add additionalKeyFiles option to luks

---
 example/complex.nix  | 1 +
 example/luks-lvm.nix | 1 +
 lib/types/luks.nix   | 7 +++++++
 tests/lib.nix        | 1 +
 4 files changed, 10 insertions(+)

diff --git a/example/complex.nix b/example/complex.nix
index 9f317c2..722cea5 100644
--- a/example/complex.nix
+++ b/example/complex.nix
@@ -32,6 +32,7 @@
                 type = "luks";
                 name = "crypted1";
                 settings.keyFile = "/tmp/secret.key";
+                additionalKeyFiles = ["/tmp/additionalSecret.key"];
                 extraFormatArgs = [
                   "--iter-time 1" # unsecure but fast for tests
                 ];
diff --git a/example/luks-lvm.nix b/example/luks-lvm.nix
index 3d4d857..acadad6 100644
--- a/example/luks-lvm.nix
+++ b/example/luks-lvm.nix
@@ -33,6 +33,7 @@
                 # if you want to use the key for interactive login be sure there is no trailing newline
                 # for example use `echo -n "password" > /tmp/secret.key`
                 settings.keyFile = "/tmp/secret.key";
+                additionalKeyFiles = ["/tmp/additionalSecret.key"];
                 content = {
                   type = "lvm_pv";
                   vg = "pool";
diff --git a/lib/types/luks.nix b/lib/types/luks.nix
index c5833f6..ed6a29d 100644
--- a/lib/types/luks.nix
+++ b/lib/types/luks.nix
@@ -44,6 +44,12 @@ in
         };
       '';
     };
+    additionalKeyFiles = lib.mkOption {
+      type = lib.types.listOf diskoLib.optionTypes.absolute-pathname;
+      default = [];
+      description = "Path to additional key files for encryption";
+      example = ["/tmp/disk2.key"];
+    };
     initrdUnlock = lib.mkOption {
       type = lib.types.bool;
       default = true;
@@ -82,6 +88,7 @@ in
         cryptsetup luksOpen ${config.device} ${config.name} \
           ${toString config.extraOpenArgs} \
           ${keyFileArgs}
+        ${toString (lib.lists.forEach config.additionalKeyFiles (x: "cryptsetup luksAddKey ${config.device} ${x} ${keyFileArgs}"))}
         ${lib.optionalString (config.content != null) config.content._create}
       '';
     };
diff --git a/tests/lib.nix b/tests/lib.nix
index 05985ca..aca1102 100644
--- a/tests/lib.nix
+++ b/tests/lib.nix
@@ -135,6 +135,7 @@
 
         machine.start()
         machine.succeed("echo -n 'secretsecret' > /tmp/secret.key")
+        machine.succeed("echo -n 'additionalSecret' > /tmp/additionalSecret.key")
         ${lib.optionalString (testMode == "direct") ''
           machine.succeed("${tsp-create}")
           machine.succeed("${tsp-mount}")